
List:       strongswan-users
Subject:    [strongSwan] some questions about the usage of X.509 certificates
From:       andreas.steffen () strongsec ! net (Andreas Steffen)
Date:       2005-10-12 9:40:00
Message-ID: 434CBDC4.5080503 () strongsec ! net

DU Chun-yan wrote:
> Hi, all! My opinion about the whole process of the X.509 certificates
> in strongSwan is as follows. Is it right? If auth is RSA and no
> preloaded public key exists locally, the responder (R) will first
> send a "certificate request" in the 4th message of main mode Phase 1,
> forming a CR payload (the supported CA authority included) to the
> initiator (I) at the same time.

This is correct. You can suppress the emission of CR payloads with the
nocrsend=yes option in the config setup section of ipsec.conf.

> Then in the 5th message the (I) must send
> its certificate to the (R). Meanwhile, if the (I) doesn't have the
> other party's pubkey, a certificate request (CR) payload will be sent to
> the (R).

This is correct.

> In the 6th message, (R) verifies (I)'s signature with the pubkey
> contained in the cert payload. Then it sends its certificate to (I).
> Finally, (I) verifies (R)'s identity.

This is correct.

> Then here are my questions: According to RFC 2408 section 3.10, "for an
> X.509 certificate this field would contain the Distinguished Name
> encoding of the Issuer Name of an X.509 certificate authority
> acceptable to the sender of this payload.  This would be included to
> assist the responder in determining how much of the certificate chain
> would need to be sent in response to this request."
> question 1:
> According to the code in function "build_and_ship_CR()", the CA
> authority seems to be "st->st_connection->spd.that.ca". But where
> does "spd.that.ca" come from? How to set up the configuration in
> strongSwan for determining the CA Issuer?

The requested CA can be defined using

rightca="<distinguished name of desired CA>"

In most cases the following simplification can be used:

rightca=%same

which means that a cert issued by the same CA we possess a cert
from is requested.

> question 2: Does
> strongSwan support certificate cross validation? If not, since the
> CR payload could determine the certificate chain, is there any
> interface for users to add link construction to support this?

strongSwan doesn't support cross validation (CA 2 signs public key
of CA 1) but you can import as many root CA certs as you like which
allows you to accept multiple validation chains. Use the rightca
option to control which CAs you are going to accept for a given
connection.

> question 3: Does it need to preload its certificate locally for each
> other before running strongSwan? If both certificates are not
> local, could strongSwan just send the URL of the LDAP servers where the
> certificates are stored to each other? Then the gateway could fetch the
> other's certificate directly. Otherwise both have to fetch their own
> certificate in advance and send it to the other.

The certificate fetching feature hasn't been implemented yet but
is somewhere high up on the TODO list.

> Regards, Rebecca 210313041@suda.edu.cn
> 2005-10-11

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
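As an added illustration of the rightca and nocrsend settings discussed in the reply above (this fragment is not part of the original message or of the strongSwan distribution; the addresses, DNs and file names are constructed samples):

```ini
# /etc/ipsec.conf (constructed example)
config setup
        # nocrsend=yes would suppress our own CR payloads entirely; the
        # default (no) keeps the responder asking for a cert in message 4
        nocrsend=no

conn moon-sun
        authby=rsasig
        left=192.168.0.1
        # our end-entity cert; its issuer must be present as a CA cert in
        # /etc/ipsec.d/cacerts for the local chain to validate
        leftcert=moonCert.pem
        leftid="C=CH, O=Example, CN=moon.example.org"
        right=192.168.0.2
        rightid="C=CH, O=Example, CN=sun.example.org"
        # %same: request (and accept) only a peer cert issued by the same
        # CA that issued leftcert; spd.that.ca is filled from this value
        rightca=%same
        auto=add

conn moon-sun-explicit-ca
        also=moon-sun
        # equivalent to %same if that CA issued moonCert.pem, but lets a
        # different trusted root be requested per connection when several
        # root CA certs are installed
        rightca="C=CH, O=Example, CN=Example Root CA"
```

The DN in rightca is what ends up in the CR payload's Certificate Authority field, so it must match the issuer name of a CA cert the peer can produce.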
